Archive for the Security and Privacy Category

Some WordPress themes downloaded from a popular site have been infected with adware/malware.

  1. Click the link.
  2. Read the page.
  3. Check your themes.
  4. Go back to sleep.

More details later.


Hot on the heels of the Are you a security wizard quiz, here’s yet another way to test your level of paranoia security awareness. This time, the area of awareness being tested is email phishing scams, and the tester is McAfee.

Check out the McAfee SiteAdvisor Phishing Quiz to see how good you are at spotting fake websites that will steal your information and cause you a whole world of hurt if you’re not careful. There are also a couple of questions about email scams thrown in for good measure.

The real value of the quiz comes at the end, where you are given the correct answers with details on how you could have spotted the fakes. Study those details.

My opinion of the quiz?
…pretty tough, actually. The first thing I check when I’m inspecting a suspicious site is the URL address, and I’ve gotten pretty good at spotting trouble just based on that alone. But some of the questions didn’t have the URL visible, so you had to actually READ the page’s content to figure out if it was real or fake. Out of those must-read questions, most were easy to spot if you knew what to look for, but one or two were actually pretty convincing fakes. A couple of email questions will probably throw you if you don’t have a decent grasp of net-geekery, paranoia, or both. I don’t know what McAfee would consider a “passing” score, but with question difficulties that range from “too easy” to “OMG, they got me!”, I’d say that an average score would be around 6. But remember, all it takes is ONE fake site to get past your paranoia-filter, and your identity is hosed. So nothing short of a perfect 10 out of 10 questions correct is really “passing”.

Oh… my score? 9/10 scams spotted.

I failed.


Some ISPs have taken to altering web pages in transit… this means that what you see in your browser may NOT be what was actually sent from the server.

In other words, you are seeing what your ISP WANTS you to see rather than what the creator of the web page you’re viewing wants you to see. Right now, this foolishness is limited to inserting ads, but who knows where this slippery slope might lead. That’s not censorship, but it is some serious BS.

Don’t get me wrong… I don’t have a problem with advertising. But I DO have a problem with what essentially is a man in the middle attack perpetrated by ISPs.

So how can you tell if YOU should be in the market for a new ISP?

Easy. The University of Washington is doing some research into the matter, and they have a tool that will test your ISP’s level of asshattery. Just visit the page and look at the results.


My FTP client of choice these days is a nicely-featured freebie named Filezilla. I’ve used it for a year with no problems.

But suddenly my anti-virus software (Norton) started alerting me that it has found adware on my computer. First it found Adware.Cpush in the Filezilla uninstaller. It analyzed the program and subsequently quarantined it… then a day later it did the same for some other Filezilla component. Then another. Then it told me that one of the Filezilla-related entries in my registry was infected with Adware.Cpush. And then another one.

If this keeps up, Norton will eventually quarantine one of the files that Filezilla needs in order to function. At that point, I will need to remove either Norton or Filezilla, and since this is a work computer, I don’t think the boss will take too kindly to me uninstalling the antivirus software so that I can upload files with an open source FTP client. Fortunately I have other computers I can use that don’t have the Norton “problem” so it’s not a big deal. For me.

For those who’re getting the “Adware.Cpush” message from Norton and came here wondering WTF, rest assured that Filezilla is NOT adware. You are witnessing what is called a False Positive. Perhaps updating your virus definitions will solve the problem. Perhaps not. But realize that updating your virus definitions is what CAUSED the problem in the first damn place. I can’t even try because I’m traveling at the moment, but trust me, your problem is Norton, not Filezilla. Remember that when it comes time to make a choice on which application to keep.


Why, yes..
…Yes I am!

Are you an Internet Security Wizard?

This was an interesting quiz, but more fun than useful. Most of the questions were simple, but I still managed to miss two. There’s a downloadable PDF with the correct answers once you’re done.


Jeff Atwood over at CodingHorror.com recently made a post detailing his steps in acquiring and (more importantly) cleaning up a nasty Windows spyware infestation. The post and the discussion that follows are a must-read as far as I’m concerned. His steps go far into the realm of tech-voodoo and are not for the non-geek or faint of heart. Your mileage in following those steps may vary depending on the level of fubar you have on your machine.


Some people just don’t get it.

By “It”, I mean the difference between warning people about the dangers of playing with sharp sticks and leaving a crate of authentic Zulu spears on your front porch.

What the hell am I talking about?

This blog’s inaugural entry contains detailed instructions… including source code… on how to conduct a Cross-Site scripting attack.

Yes, information wants to be free.
Yes, the people need to know.
Yes, (insert other vomit-inducing cliche here)… but COME ON!

It amazes me how many bloggers and so-called “security experts” go around handing out loaded guns in the interest of promoting gun safety.

Source Code?
SOURCE CODE!?!

No one needs the source code of an XSS attack in order to protect themselves from an XSS attack. Ditto for any other scripting or software-based attack. So what, exactly, is the point of posting code+instructions and saying, in no uncertain terms, “Here, go play with these hand grenades, and if you blow something up real good, send me a picture!”?

Are you trying to educate the programmers about the holes in their code? Code is their life and livelihood… DESCRIBE the problem and they can write their own code without your help. Are you trying to prove that it can be done? Then DO it… post a screenshot of it being done instead of instructions/code on how to do it. Are you trying to entice a new generation of script-kiddies to perform attacks on the unsuspecting web-public by giving them live ammo to play with? Hmm…

I’m not one of those people who thinks information I don’t like should be hidden or restricted. But I don’t think information of this type should be actively disseminated, either. Should the information be available? Yeah… maybe… that’s debatable. Personally, I’m leaning toward “yes”. Somewhere. But being “out there somewhere” is a lot different than me painting it on a billboard in my front yard. Unless, of course, I have some ulterior motive (like: “I hate the MPAA so I’m going to post the AACS key” or “I hate Yahoo so I’m going to show the world how to screw them.”) If that’s the case, then I won’t do it under the guise of being concerned about security. If security awareness IS my main objective, then the last thing I’m going to do is hand out source code for exploits. That’s sort of like having sex to support virginity.

BY THE WAY:
For real information about XSS attacks that (last time I checked) didn’t contain actual source code, try:
http://en.wikipedia.org/wiki/Xss
http://www.cgisecurity.com/articles/xss-faq.shtml
